COMMAND
SQL Server users passwords cryptanalysis whitepaper and tool
SYSTEMS AFFECTED
SQL 7, 2000 and others?
PROBLEM
David Litchfield of NGSSoftware Insight Security Research posted a
whitepaper and tool that expose a weakness in the password hashing
scheme used for SQL Server logins.
\" The paper discusses the manner in which they are hashed (the
passwords) and how they can be more easily brute forced as two hashes
are stored: a case sensitive password hash and an upper case password
hash are produced. Needless to say, when auditing password strength, it
is far easier to go after the UPPER cased version. The paper contains
also contains some demonstration source code for performing a
dictionary based audit against the hashes and NGSSoftware have produced
an optomized GUI based tool, as well. \"
Get it from:
http://www.nextgenss.com/papers/cracking-sql-passwords.pdf
http://www.nextgenss.com/products/ngssqlcrack.html
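As an added illustration of the weakness described above (example code written for this note, not the paper's demonstration code or the NGS tool): a constructed reproduction of the SQL Server 2000 pwdencrypt() layout, assumed here to be a 0x0100 header, a 4-byte salt, SHA-1 of the UTF-16LE password plus salt, and SHA-1 of the UTF-16LE upper-cased password plus salt, followed by a defender-side audit routine that shows why the upper-case hash makes a dictionary check so much cheaper: one trial per word, with case spellings tried only for a word whose upper-case hash already matched. The password, salt and word list are constructed sample values.

```python
import hashlib
import itertools
import os

HEADER = b"\x01\x00"  # version marker at the front of the stored blob (assumed layout)

def pwdencrypt(password: str, salt: bytes) -> bytes:
    """Constructed SQL Server 2000-style blob (assumed layout, see lead-in):
    header + 4-byte salt + SHA-1(UTF-16LE pwd + salt) + SHA-1(UTF-16LE UPPER(pwd) + salt)."""
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    case_sensitive = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    upper_cased = hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return HEADER + salt + case_sensitive + upper_cased

def split_blob(blob: bytes):
    """Return (salt, case-sensitive hash, upper-case hash) from a 46-byte blob."""
    if len(blob) != 46 or blob[:2] != HEADER:
        raise ValueError("not a 46-byte pwdencrypt blob")
    return blob[2:6], blob[6:26], blob[26:46]

def case_variants(word: str):
    """Every upper/lower spelling of word: 2**(number of letters) candidates."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return ("".join(t) for t in itertools.product(*choices))

def audit(blob: bytes, wordlist):
    """Strength check of one login's stored blob against a word list.
    The upper-case hash costs one trial per word; only a word that matches it
    has its case spellings tried against the case-sensitive hash.
    Returns (recovered_password, trials) or (None, trials)."""
    salt, cs_hash, uc_hash = split_blob(blob)
    trials = 0
    for word in wordlist:
        trials += 1
        if hashlib.sha1(word.upper().encode("utf-16-le") + salt).digest() != uc_hash:
            continue
        # Upper-case hash matched: the exact spelling is one of 2**letters variants.
        for variant in case_variants(word):
            trials += 1
            if hashlib.sha1(variant.encode("utf-16-le") + salt).digest() == cs_hash:
                return variant, trials
    return None, trials

if __name__ == "__main__":
    blob = pwdencrypt("SqlPass", os.urandom(4))  # constructed sample login
    print(audit(blob, ["admin", "password", "sqlpass"]))
```

Without the upper-case hash, the same audit would have to try every case spelling of every word against the case-sensitive hash, so the word list cost is multiplied by 2**letters instead of paid once.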
Update (10 July 2002)
======
Toni Lassila [toni.lassila@mc-europe.com] comments:
An added weakness that has not been widely noted: If you select a
case-insensitive collation for your SQL Server installation, the user
accounts and passwords will be case insensitive as well. This means
there is a good chance any given SQL Server will have very weak
passwords.
You can verify if you are operating with case-insensitive passwords by
running this query:
SELECT SERVERPROPERTY(N'Collation')
If the name of the collation setting contains 'CI' instead of 'CS',
all your SQL login passwords are case-insensitive.
Update (15 July 2002)
======
Patrik Karlsson has released a decoder under the GPL (Linux & Win32):
http://www.cqure.net/tools10.html
SOLUTION
?